While I don't think you need to alter your router's role, you won't (as far as I know) be able to ssh into 2 different boxes using the same port. You'll need to forward 2 different ports to accomplish this. I'd also stay away from forwarding 22 - as it is a commonly scanned port - you might want to consider using a higher-numbered port. Moving standard services to non-standard ports is generally a good idea unless for some reason this is not an option.
>From: kevin mudrick <[EMAIL PROTECTED]>
>To: Charles Steinkuehler <[EMAIL PROTECTED]>
>CC: <[EMAIL PROTECTED]>
>Subject: Re: [Leaf-user] routed subnet & dmz help
>Date: Tue, 5 Mar 2002 12:02:33 -0500 (EST)
>
>Charles,
>
>Thanks for the followup (and, of course, for doing such a great job with
>your leaf distros).
>
>I think I'm confusing myself, actually. Basically, I have 3 computers on
>my home network that I'd like to be able to access remotely, through my
>dsl modem, connected to the router box. I like the advantage of having a
>box firewall off all ports I don't want the public accessing, but I don't
>really need IP Masq, I guess, because my ISP is giving me a routed subnet
>- so I guess I can assign those addresses to my 3 computers behind the
>leaf box.
>
>Yes, I made a typo with 216.158.54.224/229 - should be /29 ;)
>
>I guess what I am asking is - what role should my leaf box be
>(IPFILTER_SWITCH)? I just want to be able to access the different boxes
>in my house with different ip addresses, using the routed subnet I have.
>This way, I can, say, ssh into two different boxes on port 22.
>
>Does this clarify things a bit? Am I totally off, or going in the right
>direction?
>
>Thanks,
>Kevin
>
> > Several things. First of all, the DMZ scripts are designed to create a DMZ
> > network...a third network for server (and other publicly visible) systems
> > that is completely separate from both your external interface and the
> > internal network. Trying to overlap the DMZ network on the same network
> > segment as your internal network will simply create confusion, and probably
> > won't work without modifying the default scripts.
> >
> > Another major error is the DMZ configuration. You have a routed DMZ, which
> > means the DMZ IP's should be public (in the 216.158.54.224/229 range, if I'm
> > understanding your config file, although I hope that 229 is actually "29"
> > with a typo, otherwise I'm really confused), rather than the private IP's
> > you've assigned. With nothing in place to translate your public IP's to the
> > private IP's used internally, you won't have any external connectivity. If
> > you want to keep the private IP's internally, you'll at least need to set up
> > a static NAT entry for each public IP (or range of IP's).
> >
> > I strongly suggest you post details on exactly what you're trying to
> > accomplish. In general, providing internal systems with public IP's, and
> > making them visible from the internet, is a high security risk. There may be
> > a way to provide the functionality you're after in a more secure way, that
> > would also fit better with the default firewall rules. The setup I think
> > you're trying to achieve is possible, but you'll have to re-work a lot of
> > network and firewall configuration manually.
>
>--
>(kevin mudrick) ([EMAIL PROTECTED]) (www.bleachedwhale.com)
>pgp key available at http://www.bleachedwhale.com/kevinGPG.asc
>
>Despair: It's always darkest just before it goes pitch black.
>
>_______________________________________________
>Leaf-user mailing list
>[EMAIL PROTECTED]
>https://lists.sourceforge.net/lists/listinfo/leaf-user
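As an added illustration of the two shapes discussed in this thread (not code from the thread, from LEAF, or from either poster): the reply above suggests forwarding one distinct external port per box to ssh on each box behind a single public address, while Charles's quoted message says that keeping private addresses inside a routed block needs a static NAT entry per public IP. The script below generates both rule sets for Kevin's stated 216.158.54.224/29 and checks the mistakes each approach invites (reusing an external port, or mapping the network or broadcast address of the /29). Assumptions that are mine, not the thread's: the external interface is eth0, internal hosts sit in 192.168.1.0/24, and the rules use iptables/netfilter syntax rather than the ipchains-based LEAF scripts of 2002.

```python
"""Added example, not part of the LEAF thread.

Generates (does not execute) firewall rules for a routed /29 in two styles:
  1. port forwarding: one distinct external TCP port per internal box -> :22
  2. static (1:1) NAT: one public address per internal box
Assumptions: public block 216.158.54.224/29 (from the thread), external
interface eth0, internal hosts in 192.168.1.0/24 (both assumed here).
"""
import ipaddress

# Kevin's routed block as stated in the thread (after his /229 -> /29 correction).
PUBLIC_NET = ipaddress.ip_network("216.158.54.224/29")
EXT_IF = "eth0"  # assumed external interface name


def usable_hosts(net):
    """Host addresses in the block, excluding network and broadcast."""
    return [str(h) for h in net.hosts()]


def portfw_rules(ext_if, forwards):
    """Single-public-IP approach: forward a distinct external port per box to 22.

    forwards: list of (external_port, internal_ip). Reusing an external port
    is rejected, since two boxes cannot share one forwarded port.
    """
    seen = set()
    rules = []
    for ext_port, internal_ip in forwards:
        if ext_port in seen:
            raise ValueError(
                f"external port {ext_port} used twice; each box needs its own")
        seen.add(ext_port)
        rules.append(
            f"iptables -t nat -A PREROUTING -i {ext_if} -p tcp --dport {ext_port} "
            f"-j DNAT --to-destination {internal_ip}:22")
        # The translated packet must also pass the FORWARD chain.
        rules.append(
            f"iptables -A FORWARD -i {ext_if} -p tcp -d {internal_ip} "
            f"--dport 22 -j ACCEPT")
    return rules


def static_nat_rules(net, ext_if, mapping):
    """Routed-block approach with private addresses kept inside: a 1:1 NAT
    pair (inbound DNAT, outbound SNAT) for each public address.

    mapping: {public_ip: internal_ip}. Public addresses must be usable hosts
    of the block; the network and broadcast addresses are rejected.
    """
    valid = set(usable_hosts(net))
    rules = []
    for public_ip, internal_ip in mapping.items():
        if public_ip not in valid:
            raise ValueError(
                f"{public_ip} is not a usable host address in {net}")
        rules.append(
            f"iptables -t nat -A PREROUTING -i {ext_if} -d {public_ip} "
            f"-j DNAT --to-destination {internal_ip}")
        rules.append(
            f"iptables -t nat -A POSTROUTING -o {ext_if} -s {internal_ip} "
            f"-j SNAT --to-source {public_ip}")
    return rules


if __name__ == "__main__":
    print("# usable public addresses:", ", ".join(usable_hosts(PUBLIC_NET)))
    print("# option 1: distinct external ports, one public address")
    for r in portfw_rules(EXT_IF, [(2201, "192.168.1.10"), (2202, "192.168.1.11")]):
        print(r)
    print("# option 2: static NAT, one public address per box")
    for r in static_nat_rules(PUBLIC_NET, EXT_IF,
                              {"216.158.54.226": "192.168.1.10",
                               "216.158.54.227": "192.168.1.11"}):
        print(r)
```

With option 2 each box is reachable on port 22 at its own public address, which is the behaviour Kevin asked for; with option 1 the ssh clients have to be told the non-standard port (`ssh -p 2201 ...`). Neither set of rules opens anything beyond the forwarded ports, but as Charles notes, exposing internal hosts at public addresses still needs a deliberate decision about what those hosts run.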